

DNSSEC DS records not created in parent zones

Question

Tuesday, May 23, 2017 1:31 PM

Hi,

We're in the process of enabling DNSSEC for all zones of our Active Directory domain. We use Windows Server 2012 R2 domain controllers and DNS servers.

So far, I've been able to sign several of our DNS zones. Many of those zones are part of a multi-level hierarchy, like:

mydomain.com
  +-> site.mydomain.com
    +-> department.site.mydomain.com

etc.

DNSSEC validation works fine as long as we publish trust anchors for each signed zone. However, the expected behaviour is to rely on DS records published in a parent zone to validate the trust of a subdomain.

Our problem is that no DS record was ever added to any parent zone. I can see valid dsset-* and keyset-* files are created in the C:\Windows\system32\DNS folder, but there is no DS record on the DNS server. I tried to re-sign the zone with

Invoke-DnsServerZoneSign -ZoneName mydomain.com -DoResign -Force

But it did not change anything. All zones were signed with default parameters, and we have one KSK and one ZSK for all zones.

The official documentation states that:


Apparently, something is not working as expected. Do you have any clue about what's going on?

Thanks,

Marin.

All replies (4)

Thursday, September 14, 2017 10:23 PM ✅Answered

Hi Marin,

The child DS needs to be imported into the parent zone. Please see: https://technet.microsoft.com/library/dn593672.aspx#DS

Let me know if you have questions.

Thanks,

-Greg
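
The import step Greg refers to, as an added example that is not part of the thread or of Microsoft's documentation: it uses the DnsServer module's Import-DnsServerResourceRecordDS cmdlet to load the child zone's dsset-* file (which the question confirms is written to C:\Windows\system32\DNS) into the parent zone, then checks that the DS is both stored and served. The zone names mydomain.com / site.mydomain.com are taken from the question; that the parent zone is hosted on the same server, and the RecordData property names used for display, are assumptions.

```powershell
# Added example: publish a signed child zone's DS set in its parent zone on a
# Windows Server 2012 R2 DNS server, then verify the delegation is DNSSEC-chained.
# Assumes the parent zone is hosted on this server and the child was signed here,
# so its dsset-<child> file sits in %SystemRoot%\System32\dns.
param(
    [string]$ParentZone = 'mydomain.com',       # names from the question (assumed)
    [string]$ChildZone  = 'site.mydomain.com',
    [string]$DnsServer  = $env:COMPUTERNAME
)

Import-Module DnsServer

# Invoke-DnsServerZoneSign writes dsset-<zone> beside the zone files; signing the
# child is a prerequisite, so fail early if the file is not there.
$dsSetFile = Join-Path $env:SystemRoot "System32\dns\dsset-$ChildZone"
if (-not (Test-Path $dsSetFile)) {
    throw "No DS set file at $dsSetFile; sign $ChildZone first."
}

# Re-signing does not push the DS into the parent; it has to be imported explicitly.
Import-DnsServerResourceRecordDS -ZoneName $ParentZone -DSSetFile $dsSetFile `
    -ComputerName $DnsServer -PassThru

# Check that the DS is now stored in the parent zone (child assumed to be a
# direct subdomain, so its owner name is the leftmost label).
$childLabel = $ChildZone.Substring(0, $ChildZone.Length - $ParentZone.Length - 1)
$ds = Get-DnsServerResourceRecord -ZoneName $ParentZone -Name $childLabel `
    -RRType DS -ComputerName $DnsServer
if (-not $ds) { throw "DS for $ChildZone is still missing from $ParentZone" }
# RecordData property names (KeyTag, Digest) are assumed for display purposes.
$ds | Format-Table HostName, RecordType,
    @{ n = 'KeyTag'; e = { $_.RecordData.KeyTag } },
    @{ n = 'Digest'; e = { $_.RecordData.Digest } }

# Finally confirm a DNSSEC-aware query returns the DS, so validators can chain
# from the parent's trust anchor instead of needing one anchor per signed zone.
Resolve-DnsName -Name $ChildZone -Type DS -DnssecOk -Server $DnsServer |
    Where-Object Type -eq 'DS' | Format-List Name, KeyTag, Algorithm, Digest
```

Re-run the import whenever the child's KSK is rolled, since the parent's DS must match the child's current KSK for validation to keep succeeding.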


Wednesday, May 24, 2017 6:54 AM

Hi Marin Bernard (PEP06),

Please check if the following link is helpful:

https://www.cloudflare.com/dns/dnssec/how-dnssec-works/

Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Best Regards,

Candy

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Wednesday, May 24, 2017 9:03 AM

Hi Candy,

Thank you for the link but I think I know how DNSSEC works. I have a very specific issue with DS records which should be created automatically at zone re-signing according to Microsoft documentation, but are not. I wonder why. Can you help me?

Thanks,

Marin.


Monday, May 29, 2017 9:35 AM

Hi Marin Bernard (PEP06),

>>I have a very specific issue with DS records which should be created automatically at zone re-signing according to Microsoft documentation, but are not.

Based on the specific situation, we need to do more research. If we have any updates or any thoughts about this issue, we will keep you posted as soon as possible. Your kind understanding is appreciated. If you have further information during this period, you could post it on the forum, which helps us understand and analyze this issue comprehensively.

Best Regards,

Candy

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].